Sunday, February 9, 2014

In my last post, we covered adding the VM requester's AD account to local administrators on the guest. This is a quick and dirty way to getting the machine requester up and running with their new VM. However, many organizations prefer to use AD security groups for this kind of access. In fact, if you use an AD group to control local admins for a Windows VM, then you can create actions for the provisioned VM so that the owner can assign local admin to whomever they wish.

In this post we will cover the following use case - a new VM is requested and as it is being provisioned, a new AD security group will be created in a designated OU with the name of the VM and some custom suffix (like "vmname-localadm"). The requester of the VM will be placed into this group by default and the new group will be added to local admins on the machine after it has been built and customized.

Wednesday, February 5, 2014

This is a request that I get frequently. The person requesting a Windows VM needs to be a local administrator, so that after the VM is provisioned they can begin to access via RDP and perform tasks that require this level of access (install software, for example).

This can be accomplished using the Guest Agent for vCAC. Installing the Guest Agent on the VM template allows vCAC to perform many post-build activities such as running scripts. In this post I will show how you can use the Guest Agent to run a script that will add the requester of the machine to local administrators group.

Note: Post updated with a new script that accepts UPN (as provided by vCAC 6.0) or sAMAccount (as provided by vCAC 5.2). Thanks to Sam Pursch for testing and suggesting the fix!